From GOTO London 2015 Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches. We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.

1. How to effect change
in the Epistemological
Wasteland of
Application Security
James Wickett

3. How to effect change
in the Epistemological
wasteland of
Application Security
- @wickett

4. @wickett #ruggeddevops
James Wickett
SR. ENGINEER, SIGNAL SCIENCES
AUSTIN, TX
HANDS-ON GAUNTLT BOOK
DEVOPS DAYS GLOBAL ORGANIZER
LASCON ORGANIZER

5. Application Security Monitoring and Instrumentation
Application Security you can use!
An approach that integrates with devops organizations
Productizing the Etsy security approach

6. signalsciences.com

7. @wickett #ruggeddevops
Software development has been a constant experiment in how we
know anything
Application Security abdicated runtime responsibility and effectively
abdicated development responsibility through incoherent
philosophical approaches and fostering organizational silos
DevOps is here to stay, and security can actually be a part of it
Ops found a way to add value, security needs to find that same
path
There are three ways we can add value: at development, at deploy,
at runtime
Summary

8. @wickett #ruggeddevops
A study in how we
know anything in
Application Security

9. @wickett #ruggeddevops
Spoiler Alert:
We don’t !

10. @wickett #ruggeddevops
once upon a time…

11. @wickett #ruggeddevops
Epistemological
Problem of Software
Development

12. @wickett #ruggeddevops
We optimize for the
probable

13. @wickett #ruggeddevops
Unit Testing

14. @wickett #ruggeddevops
Integration Testing

15. @wickett #ruggeddevops
Happy Path
Engineering

16. @wickett #ruggeddevops
We also optimize
for the possible

17. @wickett #ruggeddevops
Over Engineering

18. @wickett #ruggeddevops
The scaling algo
that never got used…

19. @wickett #ruggeddevops
There is too much to
choose from in the
realm of possible

20. @wickett #ruggeddevops
Actually, we optimize for
the perceived probable

21. @wickett #ruggeddevops
How do we know
what to create?

22. @wickett #ruggeddevops
This is the problem

23. @wickett #ruggeddevops
Epistemological
Problem of Software
Development

24. @wickett #ruggeddevops
We gather data and
rhetoric to support
our theories

25. @wickett #ruggeddevops
There are 3 major
arcs in the history of
Software Development

26. @wickett #ruggeddevops
First Arc:
Agile

27. @wickett #ruggeddevops
Agile avoids the
problem

28. @wickett #ruggeddevops
Agile reminds that
we dont know what
we are building

29. @wickett #ruggeddevops

30. @wickett #ruggeddevops
Behavior Driven
Development

31. @wickett #ruggeddevops
BDD = Agile +
feedback

32. @wickett #ruggeddevops
Behavior Driven Development is a
second-generation, outside–in, pull-
based, multiple-stakeholder, multiple-
scale, high-automation, agile
methodology. It describes a cycle of
interactions with well-defined
outputs, resulting in the delivery of
working, tested software that matters.
Dan North , 2009

33. @wickett #ruggeddevops
Amplify
Feedback
Loop

34. @wickett #ruggeddevops
Agile emphasizes
feedback to developers
from their overlords and
sometimes even customers

35. @wickett #ruggeddevops
TLDR;
Rapid Iterations Win

36. @wickett #ruggeddevops
Agile is
our guiding
Light

37. @wickett #ruggeddevops
The world has
changed since Agile

38. @wickett #ruggeddevops
We don’t sell
CD’s anymore

39. @wickett #ruggeddevops
Software as a
Service

40. @wickett #ruggeddevops
The last fifteen years have
brought a complete change in
our delivery cadence,
distribution mechanisms and
revenue models

41. @wickett #ruggeddevops
Second Arc: DevOps

42. @wickett #ruggeddevops
DEVOPS IS THE APPLICATION OF
AGILE METHODOLOGY TO SYSTEM
ADMINISTRATION
- THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK

43. @wickett #ruggeddevops
DEVOPS

44. @wickett #ruggeddevops
Agile
Infrastructure

45. @wickett #ruggeddevops
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

46. @wickett #ruggeddevops
Less WIP
Less technical debt

47. @wickett #ruggeddevops
Customers actually using
the feature while the
developer is working on it

48. @wickett #ruggeddevops
Great side effect:
Produces Happy Developers

49. @wickett #ruggeddevops

50. @wickett #ruggeddevops

51. @wickett #ruggeddevops
Devops realized that ops
doesn’t know what devs
know and vice versa

52. @wickett #ruggeddevops
Dev : Ops
10 : 1

53. @wickett #ruggeddevops
DevOps is an Epistemological
breakthrough joining people
around a common problem

54. @wickett #ruggeddevops
Culture is the most
important aspect to devops
succeeding in the enterprise
- Patrick DeBois

55. @wickett #ruggeddevops
Culture is shaped in
part by values

56. @wickett #ruggeddevops

57. @wickett #ruggeddevops
Mutual Understanding
Shared Language
Shared Views
Collaborative Tooling

58. @wickett #ruggeddevops
DEVOPS IS THE INEVITABLE RESULT OF NEEDING
TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED
COMPUTING AND CLOUD] ENVIRONMENT.
- TOM LIMONCELLI

59. @wickett #ruggeddevops
https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf

60. @wickett #ruggeddevops
TLDR;
High-performing IT
organizations experience 60X
fewer failures and recover from
failure 168X faster than their
lower-performing peers. They
also deploy 30X more frequently
with 200X shorter lead times.

61. @wickett #ruggeddevops
Culture
Automation
Measurement
Sharing
- @damonedwards, @botchagalupe

62. @wickett #ruggeddevops
Devops gone wrong

63. @wickett #ruggeddevops
“THAT THE WORD #DEVOPS GETS REDUCED
TO TECHNOLOGY IS A MANIFESTATION OF
HOW BADLY WE NEED A CULTURAL SHIFT”
- @PATRICKDEBOIS
http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops

64. @wickett #ruggeddevops
Third Arc:
Continuous
Delivery

65. @wickett #ruggeddevops
Continuous Delivery is not
merely how often you
deliver but how little
you can deliver at a time

66. @wickett #ruggeddevops
Delivery
Pipelines
are rad!

67. @wickett #ruggeddevops
Batch Size of 1

68. @wickett #ruggeddevops
Separation of Duties
Considered Harmful

69. @wickett #ruggeddevops
Give power to the
Developers to deploy

70. @wickett #ruggeddevops
Reduce Code Latency
Increase Code Velocity

71. @wickett #ruggeddevops
3 Arcs:
Agile
DevOps
Continuous Delivery

72. @wickett #ruggeddevops
The next Arc:
Security
Rugged

73. @wickett #ruggeddevops
“…Those stupid developers”
- Security person

74. @wickett #ruggeddevops
“Security prefers a system
powered off and unplugged”
- Developer

75. @wickett #ruggeddevops
Cultural Unrest
with security in
most organizations

76. @wickett #ruggeddevops
Compliance Driven
Culture

77. @wickett #ruggeddevops
“[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY: THAT STRUCTURED
INADEQUACY IS ALMOST AS GOOD AS
ADEQUACY AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS GOOD AS
PROPERLY FUNDED SECURITY WORK”

78. @wickett #ruggeddevops
Security is where ops
was 5 years ago…

79. @wickett #ruggeddevops
Dev : Ops : Sec
100 : 10 : 1

80. @wickett #ruggeddevops
Understaffing means
no one thinks security
helps the business win

81. @wickett #ruggeddevops
DevOps changed that
for Ops, security can
change too

82. @wickett #ruggeddevops
Netflix
demonstrated
that people
care about
resiliency

83. @wickett #ruggeddevops
Innately, we all care

84. @wickett #ruggeddevops
Rugged Software Movement

85. @wickett #ruggeddevops
#ruggeddevops

86. @wickett #ruggeddevops
https://vimeo.com/54250716

87. @wickett #ruggeddevops
http://www.youtube.com/watch?v=jQblKuMuS0Y

88. @wickett #ruggeddevops
Security’s way forward is to
help developers and help
operations

89. @wickett #ruggeddevops
Start there

90. @wickett #ruggeddevops
Let’s review Security’s
approach thus far

91. @wickett #ruggeddevops
BadIdea #1
Applications can’t be
defended—Web App
Firewalls Suck!
lets do developer training

92. @wickett #ruggeddevops

93. @wickett #ruggeddevops

94. @wickett #ruggeddevops
Awareness campaign
OWASP Top Ten

95. @wickett #ruggeddevops
We abandoned knowing
anything useful about
the Runtime

96. @wickett #ruggeddevops
Instead Add Defense
based on behaviors

97. @wickett #ruggeddevops
BadIdea #2
Developers can’t figure it out.
lets scan for vulnerabilities
instead

98. @wickett #ruggeddevops
“here is a 400 page PDF of
our findings to prove your
developers don't get it!”
- The Pen tester

99. @wickett #ruggeddevops
Even with the emphasis
on appsec training, in
practice we made it a
dark art

100. @wickett #ruggeddevops
Integrated rugged
testing should sit
inside the pipeline

101. @wickett #ruggeddevops
BadIdea #3
With the new alignment
to vulnerability scanning,
there is a tendency to Fix
the Low-Hanging Fruit

102. @wickett #ruggeddevops

103. @wickett #ruggeddevops
we still don't know
who is attacking us

104. @wickett #ruggeddevops
We still don't
actually know what
they are attacking

105. @wickett #ruggeddevops
Real Threats go Unknown
so Developers fix what the
automated tooling detected
at a certain point in time

106. @wickett #ruggeddevops
Add Application
Security Telemetry

107. @wickett #ruggeddevops
badidea #4
Put in tooling that no
one outside of security
can understand

108. @wickett #ruggeddevops
usually in the name
of compliance

109. @wickett #ruggeddevops
“Get a Web App Firewall
dude!”
- PCI-DSS Req 6.6

110. @wickett #ruggeddevops

111. @wickett #ruggeddevops
Choose your own
adventure…

112. @wickett #ruggeddevops
smallest possible
solution you can
consider a WAF…

113. @wickett #ruggeddevops
Our CDN added
ModSecurity Ruleset
Huzzah!

114. @wickett #ruggeddevops
An appliance that
blocks all the things

115. @wickett #ruggeddevops
And now you wonder
why no one eats lunch
with you anymore

116. @wickett #ruggeddevops
“every aspect of managing WAFs is an
ongoing process. This is the antithesis
of set it and forget it technology.
That is the real point of this research.
To maximize value from your WAF you
need to go in with everyone’s eyes open
to the effort required to get and keep
the WAF running productively.”
- a whitepaper from a WAF vendor

117. @wickett #ruggeddevops

118. @wickett #ruggeddevops
Ok, Security has to change…
How do we add value
already?

119. @wickett #ruggeddevops
Two ways!

120. @wickett #ruggeddevops
Add value to Devs
Add value to ops

121. @wickett #ruggeddevops
Pray that someone
notices

122. @wickett #ruggeddevops

123. @wickett #ruggeddevops
Pro-Tip #1
Automate security tooling
to run in testing

124. @wickett #ruggeddevops
Start with Adding just one
test for XSS on a few pages
in your app

125. @wickett #ruggeddevops

126. @wickett #ruggeddevops
gauntlt automates
security tools

127. @wickett #ruggeddevops
GAUNTLT
Open source, MIT License
Gauntlt comes with pre-canned steps that hook
security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr

128. @wickett #ruggeddevops

129. @wickett #ruggeddevops

130. @wickett #ruggeddevops

131. @wickett #ruggeddevops

132. @wickett #ruggeddevops

133. @wickett #ruggeddevops
here’s an XSS attack
you can use

134. @wickett #ruggeddevops
@slow @final
Feature: Look for cross site scripting (xss) using arachni
against a URL
Scenario: Using arachni, look for cross site scripting and
verify no issues are found
Given "arachni" is installed
And the following profile:
| name | value |
| url | http://localhost:8008 |
When I launch an "arachni" attack with:
"""
arachni --modules=xss --depth=1 --link-count=10 --auto-
redundant=2 <url>
"""
Then the output should contain "0 issues were detected."

135. @wickett #ruggeddevops
http://theagileadmin.com/2015/06/09/pragmatic-security-and-
rugged-devops/

136. @wickett #ruggeddevops
github.com/gauntlt/gauntlt-demo

137. @wickett #ruggeddevops
Email book@gauntlt.org
before the end of the day
for a review copy
Hands-on Gauntlt Book
for Goto Attendees

138. @wickett #ruggeddevops
Pro-tip #2
Put security testing in
your continuous
integration system

139. @wickett #ruggeddevops

140. @wickett #ruggeddevops

141. @wickett #ruggeddevops
https://speakerdeck.com/garethr/battle-tested-code-without-the-battle

142. @wickett #ruggeddevops
Pro-Tip #3
Add Application Security
telemetry to devs and ops

143. @wickett #ruggeddevops
Convert App Security
Logs into metrics in the
systems dev and ops use
StatsD

144. @wickett #ruggeddevops
RunTime Correlation
between biz, ops, dev, sec

145. @wickett #ruggeddevops
SQLi Attempts + HTTP 500’s
or
login spikes + transaction
decrease

146. @wickett #ruggeddevops
Runtime
Instrumentation for
Application Security

147. @wickett #ruggeddevops
Pro-Tip #4
Get hugs from the
auditors and add
Hardening and Audit using
config management

148. @wickett #ruggeddevops
Open Source
Hardening Framework
chef/puppet/ansible
http://hardening.io/

149. @wickett #ruggeddevops
Run Nightly Audits of
your Hardening using
Config Management
(Chef audit mode)
https://www.chef.io/blog/2015/04/09/chef-audit-mode-cis-benchmarks/

150. @wickett #ruggeddevops
OS and Config
Management

151. @wickett #ruggeddevops
reverse the trend
Add Value to Devs
Add Value to Ops

152. @wickett #ruggeddevops
Software development has been a constant experiment in how we
know anything
Application Security abdicated runtime responsibility and effectively
abdicated development responsibility through incoherent
philosophical approaches and fostering organizational silos
DevOps is here to stay, and security can actually be a part of it
Ops found a way to add value, security needs to find that same
path
There are three ways we can add value: at development, at deploy,
at runtime
Summary

154. Thanks !